Cisco PIX config statement

Discussion in 'Cisco' started by bruce, Sep 8, 2008.

  1. bruce

    bruce Guest

    Hi,
    I needed help in understanding the following in the Cisco PIX
    config.
    I have network object-groups named SMTP_SERVERS, EXCHANGE_SERVERS
    and a service object-group named SMTP.

    My query is then why should I be using the following statement in my
    config:

    "access-list IN permit tcp object-group EXCHANGE_SERVERS object-group SMTP_servers object-group SMTP"

    What is the meaning of the above statement?
    bruce, Sep 8, 2008
    #1

  2. bruce

    bruce Guest

    On Sep 8, 10:50 pm, "Gabriele Beltrame" <> wrote:
    > "bruce" <> wrote in message news:...
    > | Hi,
    > |  I needed help in understanding the following in the Cisco PIX
    > | config ,
    > |  I have network Object-Groups named SMTP_SERVERS,EXCHANGE_SERVERS
    > |  And a Service object-group named SMTP
    > |
    > | My Query is then why should I be using the following statement in my
    > | config
    > |
    > | "access-list IN permit tcp object-group EXCHANGE_SERVERS object-group
    > | SMTP_servers object-group SMTP"
    > |
    > |  What is the meaning of the above statement?
    >
    > Hi,
    >
    > In the access list above, the EXCHANGE_SERVERS group represents the source
    > address(es), the SMTP_servers group represents the destination address(es)
    > and the SMTP group represents the destination port(s).
    > The use of the various group types is merely an administration convenience.
    >
    > Regards,
    > Gabriele

    Hi Gabriele,
    Thanks for your response, it made things more clear to me. Though
    there is some more clarification needed, could you please help out
    with the following config:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10



    object-group network SMTP_SERVERS
    network-object host 129.17.10.51
    network-object host 129.17.10.52
    network-object host 129.17.10.53
    network-object host 129.17.10.54



    access-list out permit tcp host 203.17.40.10 host 205.198.114.54 eq smtp
    access-list out permit tcp any host 205.198.114.55 eq https
    access-list out permit tcp host 203.17.40.11 host 205.198.114.54 eq smtp
    access-list out permit tcp any host 205.198.114.53 eq smtp
    access-list out permit tcp host 203.17.40.3 host 205.198.114.54 eq smtp


    logging host DMZ 129.17.10.53


    ip address outside 205.198.114.49 255.255.255.240
    ip address inside 129.17.10.30 255.255.255.240
    ip address DMZ 129.17.10.78 255.255.255.240

    global (outside) 1 interface
    global (DMZ) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
    static (DMZ,outside) 205.198.114.54 129.17.10.51 netmask 255.255.255.255 0 0
    static (DMZ,outside) 205.198.114.53 129.17.10.52 netmask 255.255.255.255 0 0
    static (DMZ,outside) 205.198.114.55 129.17.10.50 netmask 255.255.255.255 0 0
    static (inside,DMZ) 129.17.8.128 172.27.8.128 netmask 255.255.255.128 0 0
    static (DMZ,outside) 205.198.114.56 129.17.10.54 netmask 255.255.255.255 0 0
    static (DMZ,outside) 205.198.114.57 129.17.10.55 netmask 255.255.255.255 0 0
    static (DMZ,outside) 205.198.114.58 129.17.10.53 netmask 255.255.255.255 0 0

    access-group out in interface outside
    access-group inside in interface inside
    access-group dmz in interface DMZ
    route outside 0.0.0.0 0.0.0.0 205.198.114.50 1


    Notice in the above-mentioned config there are no corresponding
    access-list statements for some of the static mappings. Will they work
    with this type of static mapping for the DMZ?
    Also, there is one static mapping mapped to the same IP address; I
    cannot figure this out.
    Thirdly, there is the 0 0 statement at the end of the static mapping.
    What is it for?
    bruce, Sep 9, 2008
    #2